Every day I come across network techs who continue to rely on SPAN ports as their network access method. This blows my mind, as it's been proven time and again why you shouldn't rely on SPAN ports. Let me share some of those reasons:
First - Spanning or mirroring changes the timing of the frame interaction (what you see is not what really happened!).
Second - The spanning algorithm is not the primary focus or main function of the device, as switching or routing are, so spanning is never the first priority. If replicating a frame becomes a burden, the hardware will temporarily suspend the SPAN process, resulting in dropped frames and timing that is way off.
Third - If the bus feeding the SPAN port becomes overloaded, frames are simply dropped, as are all frames that are corrupted in any way.
Fourth - Proper spanning requires a network engineer to configure the switches correctly from the command line, which takes time away from the more important tasks network engineers have. Often these configurations become a political issue, constantly creating contention between the IT team, the security team and the compliance team.
Fifth - A SPAN port drops all frames that are corrupt, undersized or oversized, so not all frames are passed on. These events occur without any notification to the user, so there is no guarantee of getting all the data required for proper analysis. Frames with bad CRCs can stem from many issues, and they are important to know about.
Sixth - A SPAN port is not a passive visibility technology. Some may say that SPAN port access is a passive data access solution, but passive means "having no effect". Spanning (mirroring) has a measurable, non-repeatable and variable effect on the data that is delivered to analysis and storage equipment.
Seventh - SPAN ports are not a scalable technology. With Gigabit, 10 Gigabit and faster technologies, the maximum bandwidth is now twice the base bandwidth: a Full Duplex (FDX) Gigabit link carries up to 2 Gigabits of data and a 10 Gigabit FDX link up to 20 Gigabits of potential data (minus inter-frame gaps).
No switch or router can replicate/mirror all of this data while also handling its primary job of switching and routing. It is difficult, if not impossible, to pass all frames (good and bad ones), including FDX traffic at full line rate, in real time at non-blocking, no-loss speeds.
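The arithmetic behind point seven, as an added example (not code from the original post): a small Python model of a SPAN session's worst-case oversubscription and sustained drop rate. Link names, rates and utilisation figures are constructed assumptions.

```python
"""Added example (not from the original post): worst-case capacity check for a
SPAN session, following point seven. A full-duplex (FDX) source can offer twice
its nominal rate to one SPAN egress. Link names and rates are constructed."""
from dataclasses import dataclass

WIRE_OVERHEAD_BYTES = 8 + 12  # preamble + SFD (8) and minimum inter-frame gap (12)


@dataclass
class MirroredLink:
    name: str
    rate_bps: float            # nominal rate of ONE direction, e.g. 1e9 for Gigabit
    full_duplex: bool = True   # FDX: both directions are copied onto the SPAN port
    utilisation: float = 1.0   # fraction of line rate in use (1.0 = line rate)


def offered_bps(link: MirroredLink) -> float:
    """Wire bits/s this link pushes toward the SPAN egress. A copied frame is
    re-sent with its own preamble and IFG, so per-frame wire cost is unchanged;
    FDX simply doubles the number of frames."""
    if not 0.0 <= link.utilisation <= 1.0:
        raise ValueError(f"{link.name}: utilisation must be between 0 and 1")
    return (2 if link.full_duplex else 1) * link.rate_bps * link.utilisation


def span_capacity_report(links, dest_rate_bps: float, frame_bytes: int = 64) -> dict:
    """Steady-state model with no buffering credit: load above the egress rate is
    dropped (switch buffers only absorb short bursts). frame_bytes sets the frame
    size used for the frames-per-second figures; 64 bytes is the worst case."""
    total = sum(offered_bps(link) for link in links)
    ratio = total / dest_rate_bps
    drop_fraction = max(0.0, 1.0 - 1.0 / ratio) if ratio > 0 else 0.0
    offered_fps = total / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)
    return {
        "offered_bps": total,
        "oversubscription": ratio,
        "drop_fraction": drop_fraction,
        "offered_fps": offered_fps,
        "dropped_fps": offered_fps * drop_fraction,
    }


if __name__ == "__main__":
    # Constructed scenario: two Gigabit FDX access links mirrored to one Gigabit SPAN port.
    links = [MirroredLink("access-1", 1e9), MirroredLink("access-2", 1e9)]
    for key, value in span_capacity_report(links, dest_rate_bps=1e9).items():
        print(f"{key:>17}: {value:,.2f}")
```

With two Gigabit FDX links mirrored to one Gigabit SPAN port the model reports 4x oversubscription, so three out of four 64-byte frames are lost at sustained line rate; a single 10G FDX link into a 10G SPAN port already loses half.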
In summary, the fact that a SPAN port is not a passive data visibility technology, or even entirely non-intrusive, is a problem, particularly for data security and compliance monitoring or lawful intercept. Since there is no guarantee of absolute fidelity, evidence gathered through this monitoring process is likely to be challenged in a court of law.